Abuse Document 


Gill Formstack 


Terms of Service 

Formstack explicitly states in our terms of service that any attempt at using our 
services for phishing or spamming is prohibited and will lead to account termination. 
Our terms of service are available at https://www.formstack.com/terms. 


Abuse Reporting 

Formstack offers two ways to report abuse of our systems. The first method is by 
using the abuse form available at https://www.formstack.com/abuse. The second is 
by emailing detailed abuse information to our abuse email address at 
abuse@formstack.com. 


When a report is collected through our website or through our abuse email, we 
generate a priority ticket in our Support system and a member of our support team 
evaluates the forms and accounts involved. Once the abuse report has been 
reviewed, we initiate a warning and/or deactivation process depending on the 
severity of the abuse. 


Phishing Forms 

Formstack takes phishing very seriously. To counteract any Formstack forms or 
emails that are being used for phishing, we’ve implemented a process of scanning 
and validating all forms and emails that originate from our servers. 


Form Scanning 

Formstack scans forms for phishing when any of the three following actions are 
taken. The first scan is performed when the form owner modifies a form field in 
the form builder. The second scan is performed when the live form is viewed, and 
the third scan is performed when the live form is submitted. If the form fails at any 
point during these three scans, we add the form to our phish list. If the scan finds 
that the form is over a certain threshold, the form is automatically disabled. 


Phish List 

The phish list is an internal list of forms that have failed during one of the scans 
mentioned above. The phish list is checked Monday through Friday (business 
days) by our support team. Forms caught in the phish list are reviewed and, if 
found to be in violation of our terms of service, are flagged. The owners of the 
form are sent emails explaining why their forms have been flagged and are given 
48 hours to correct the issue. If the form owner has not corrected the issue after 
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48 hours, the flagged forms are deactivated. The support team also has the 
ability to automatically deactivate forms without going through the warning 
process if necessary. 


SPAM/Phishing Emails 


Email Types 

Formstack sends three different types of email. 

The first type of email is a Confirmation email. This is an email that is setup on a 
form-by-form basis by the form owner and is used to send the form submitter an 
email regarding their submission. 


The second type of email is a Notification email. This is an email that is setup on a 
form-by-form basis by the form owner and is used to send the form owner an 
email regarding a submission on their form. 


The third type of email is a Formstack System email. This email is created by 
Formstack and does not contain user generated content. 


Email Scanning 

The only viable email type for abuse is a Confirmation email. When a 
Confirmation email is created, edited, or sent, it is scanned for content that 
violates our terms of service. If a Confirmation email fails our email scan, it is 
added to the spam list. 


Spam List 

The spam list is similar to our phish list. It’s an internal list of Confirmation emails 
that have failed our email scans. The spam list is checked Monday through Friday 
(business days) by our support team. 


Spam Prevention Limits 

Formstack limits the number of emails that can be sent from a Formstack account 
based on the type of account. 

When a Formstack account is first created, it is placed on a 14 day free trial. 


During this trialing period, all forms on the trialing account are rate limited to a 
maximum of 10 submissions per minute. If a form exceeds this limit, it is 
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automatically deactivated. 


Once the 14 day free trial has expired, the Formstack account is converted into a 
free account. Free accounts are unable to send Confirmation emails. 


All Formstack account types have a limit of three Confirmation emails per 
submission. 


Email Validation 

All outgoing emails from Formstack servers are signed using DKIM. All outgoing 
emails being sent from Formstack servers with a Formstack email address are 
verified using SPF records. If an email comes from a Formstack server but with a 
non-Formstack email address, it is up to the owner of the sending domain to add 
Formstack's servers to their SPF records. 


Infrastructure 


Formstack IP Addresses 
Formstack uses four different servers to host forms and send email. The IP 
addresses of these servers are: 


64.77109195 
64.77109196 
64.77109199 
64.77109.202 


Formstack Domains 

Formstack servers are only used to host the Formstack application. The 
Formstack application is available through two different domains. The first 
domain is formstack.com. This is Formstack’s primary domain and is the source of 
the majority of all web traffic to the Formstack application. The second domain is 
formbin.com. This is Formstack’s backup domain and is primarily used by paid 
Formstack accounts using our white label service. 
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